DJG103

This check looks for places where Django's SQL injection protection is bypassed in the `extra()` QuerySet method by wrapping the `%s` parameter placeholder in quotes. Django's parameter binding quotes and escapes each value itself; a hand-written `'%s'` turns the placeholder into part of a string literal, so quote characters in the value are no longer neutralised.

The check inspects every string literal passed through the following keyword arguments of `extra()`:

  • "where", "select", "tables", "order_by", "params"

Example

In this example, the value compared against `othercol` is vulnerable to SQL injection because the placeholder is quoted:

```python
qs.extra(
    select={'val': "select col from sometable where othercol = '%s'"},
    select_params=(someparam,),
)
```

This would also apply to the where argument:

```python
MyDataModel.objects.extra(where=['headline="%s"'], params=['Lennon'])
```

Fixes

Remove the quotes around the `%s` placeholders so that Django's parameter binding quotes and escapes the values:

```python
MyDataModel.objects.extra(where=['headline=%s'], params=['Lennon'])
```
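As an added illustration, not part of the plugin's own code, the following is a minimal AST-based version of the check this rule describes: it walks a Python source file, finds calls to `.extra()`, and reports any string literal under the inspected keyword arguments that contains a quoted `%s` placeholder. The sample sources are the two examples above, embedded as constructed input.

```python
import ast

# Keyword arguments of QuerySet.extra() whose string literals the check inspects.
EXTRA_KWARGS = {"where", "select", "tables", "order_by", "params"}
# A placeholder wrapped in quotes defeats Django's own quoting of the bound value.
QUOTED_PLACEHOLDERS = ("'%s'", '"%s"')


def _string_literals(node):
    """Yield every string constant nested inside an argument (lists, tuples, dicts)."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub


def find_quoted_placeholders(source: str):
    """Return (line, keyword, literal) for each quoted %s passed to an .extra() call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        is_extra_call = (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "extra"
        )
        if not is_extra_call:
            continue
        for kw in node.keywords:
            if kw.arg not in EXTRA_KWARGS:
                continue
            for lit in _string_literals(kw.value):
                if any(q in lit.value for q in QUOTED_PLACEHOLDERS):
                    findings.append((lit.lineno, kw.arg, lit.value))
    return findings


# Constructed sample input: the two vulnerable calls from this page, then the fixed one.
VULNERABLE = '''
qs.extra(
    select={'val': "select col from sometable where othercol = '%s'"},
    select_params=(someparam,),
)
MyDataModel.objects.extra(where=['headline="%s"'], params=['Lennon'])
'''
FIXED = "MyDataModel.objects.extra(where=['headline=%s'], params=['Lennon'])\n"

if __name__ == "__main__":
    for line, keyword, literal in find_quoted_placeholders(VULNERABLE):
        print(f"line {line}: quoted placeholder in extra({keyword}=...): {literal!r}")
    print("fixed version findings:", find_quoted_placeholders(FIXED))
```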

See Also